ISSA Infraguard ISACA Tampa 06192009
Business Logic Flaws
1. Mo' Money Mo' Problems
Making A LOT more money on the Web the black hat way
Jeremiah Grossman, Founder & Chief Technology Officer, 06.19.2009
© 2009 WhiteHat, Inc.

2. Jeremiah Grossman
• Technology R&D and industry evangelist (InfoWorld's CTO Top 25 for 2007)
• Frequent international conference speaker
• Co-founder of the Web Application Security Consortium
• Co-author: Cross-Site Scripting Attacks
• Former Yahoo! information security officer

3. WhiteHat Security
• 200+ enterprise customers
• Start-ups to Fortune 500
• Flagship offering "WhiteHat Sentinel Service"
• 1000's of assessments performed annually
• Recognized leader in website security
• Quoted hundreds of times by the mainstream press

4. Threat Capabilities

Threats / Attackers: Fully Targeted
Capabilities:
• Discover unlinked / hidden functionality
• Exercise business processes
• Customize Business Logic Flaw Exploits
• Leverage information leakage
• Interact with other customers
• Perform multi-stage attacks
Example: 'The Analyzer', allegedly hacked into multiple financial institutions using SQL Injection to steal credit and debit card numbers that were then used by thieves in several countries to withdraw more than $1 million from ATMs. Geeks.com, Guess, Petco, CardSystems, USC, etc.

Threats / Attackers: Directed Opportunistic
Capabilities:
• Authenticated crawling
• Authenticated attacks
• Intelligent HTML form submission
• Test for technical vulnerabilities
• Customize exploits
• SQL Injection (data extraction)
• Cross-Site Scripting (Phishing)
Example: Cyber criminals use XSS vulnerabilities to create very convincing Phishing scams that appear on the real website as opposed to a fake. JavaScript malware steals victims' session cookies and passwords. Y! Mail, PayPal, SunTrust, Italian Banks, etc.

Threats / Attackers: Random Opportunistic
Capabilities:
• Unauthenticated crawling
• Unauthenticated attacks
• Test all attack surface discovered
• Destructive attacks
• Automated HTML form submission
• SQL Injection (code insertion)
• Persistent Cross-Site Scripting
• Advanced Filter Evasion Techniques
• Generic exploits
Example: With Mass SQL Injection, automated worms insert malicious JavaScript IFRAMEs (pointing to malware servers) into back-end databases and use the capability to exploit unpatched Web browsers. According to Websense, "75 percent of Web sites with malicious code are legitimate sites that have been compromised."

5. Website Classes of Attacks
Legend: Business Logic: Humans Required / Technical: Automation Can Identify
Authentication
• Brute Force
• Insufficient Authentication
• Weak Password Recovery Validation
• CSRF*
Authorization
• Credential/Session Prediction
• Insufficient Authorization
• Insufficient Session Expiration
• Session Fixation
Logical Attacks
• Abuse of Functionality
• Denial of Service
• Insufficient Anti-automation
• Insufficient Process Validation
Client-Side
• Content Spoofing
• Cross-site Scripting
• HTTP Response Splitting*
Command Execution
• Buffer Overflow
• Format String Attack
• LDAP Injection
• OS Commanding
• SQL Injection
• SSI Injection
• XPath Injection
Information Disclosure
• Directory Indexing
• Information Leakage
• Path Traversal
• Predictable Resource Location
WASC 24 (+2)* Classes of Attacks: http://www.webappsec.org/projects/threat/

6. WhiteHat Security Top Ten
Percentage likelihood of a website having a vulnerability by class (chart):
• Cross-Site Scripting
• Information Leakage
• Content Spoofing
• Insufficient Authorization
• SQL Injection
• Predictable Resource Location
• Session Fixation
• Cross-Site Request Forgery
• Insufficient Authentication
• HTTP Response Splitting
Total Websites: 1,031
Identified vulnerabilities: 17,888, Unresolved: 7,157 (60% resolution rate)
Websites having had at least one HIGH, CRITICAL, or URGENT issue: 82%
Lifetime average number of vulnerabilities per website: 17
Websites currently with at least one HIGH, CRITICAL, or URGENT issue: 63%
Current average of unresolved vulnerabilities per website: 7
WhiteHat Website Security Statistics Report (March 2009): http://www.whitehatsec.com/home/resource/stats.html

7.
QA overlooks them: tests what software should do, not what it can be made to do.
Scanners can't identify them: they lack intelligence and don't know if something worked (or not).
WAFs / IDSs can't defend them: the HTTP requests appear completely normal.
Hackers exploit them: 230+ million websites, 1+ million using SSL.

8. Promo codes for cheapskates
Online advertising campaigns distribute coupon and promo codes redeemable for discounts and other freebies. Some codes are more valuable than others.

9.
• X% and $X off sales
• Free Shipping
• 2 for 1 Specials
• Add-Ons & Upgrades

10. MacWorld Hacker VIP
Client-Side Hacking
Back to Back Free MacWorld Platinum Pass ($1,695)
http://grutztopia.jingojango.net/2007/01/your-free-macworld-expo-platinum-pass_11.html
http://grutztopia.jingojango.net/2008/01/another-free-macworld-platinum-pass-yes.html
http://grutztopia.jingojango.net/2008/02/your-client-side-security-sucks.html

11. Free Pizza Tastes Better
March 31, 2009...
1. Go to the Domino's Pizza site.
2. Order a medium one-topping pizza.
3. Enter coupon code "BAILOUT".
FREE! Still have to go pick it up!

12. Share the Knowledge
"Spoke to a Domino's rep, who told me the free-pizza code was created internally for a promotion that was never actually green-lit."
11,000 × $7.00 = $70,000. Oops!
http://consumerist.com/5193012/dominos-accidentally-gives-away-11000-pizzas-in-bailout-promotion
http://news.cnet.com/8301-13845_3-10207986-58.html
http://offtopics.com/sales-coupons-promo-codes/1797-free-papa-johns-pizza-coupon-code-hack.html

13. Other Tricks
• Guess / Brute Force (No CAPTCHAs)
• Stacking Multiple Codes
• Delete Cookies (Don't Forget Flash)
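The coupon slides above (the never-launched "BAILOUT" code, stacking, guessing without CAPTCHAs, clearing cookies) all come down to validation the server did not do. The following is an added example, not code from the talk or from any merchant, showing one server-side redemption check that closes each of those gaps; the data model, the codes and the lockout threshold are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Coupon:
    code: str
    discount_pct: int            # percentage off the order
    launched: bool               # False while the promotion has not been green-lit
    starts: datetime
    ends: datetime
    stackable: bool = False      # may this code be combined with other stackable codes?
    per_account_limit: int = 1   # redemptions allowed per account


@dataclass
class CouponStore:
    coupons: dict                                                            # code -> Coupon
    redemptions: dict = field(default_factory=lambda: defaultdict(int))      # (code, account) -> count
    failed_attempts: dict = field(default_factory=lambda: defaultdict(int))  # account -> bad guesses
    max_failed_attempts: int = 5


def apply_coupons(store, account_id, codes, now):
    """Validate every submitted code on the server and return (discount_pct, errors).
    State is keyed by account, not by a browser cookie, so clearing cookies
    (HTTP or Flash) does not reset redemption counts or the guess counter."""
    errors, accepted = [], []
    # Answer to "Guess / Brute Force (No CAPTCHAs)": lock the account after
    # a handful of invalid codes instead of letting it enumerate the code space.
    if store.failed_attempts[account_id] >= store.max_failed_attempts:
        return 0, ["too many invalid codes for this account"]
    for code in codes:
        coupon = store.coupons.get(code.upper())
        if coupon is None:
            store.failed_attempts[account_id] += 1
            errors.append(f"{code}: unknown code")
            continue
        if not coupon.launched:
            # The record exists (someone created it for a promotion) but it was
            # never approved, so it must not redeem: the "BAILOUT" case.
            errors.append(f"{code}: promotion not active")
            continue
        if not coupon.starts <= now <= coupon.ends:
            errors.append(f"{code}: outside validity window")
            continue
        if store.redemptions[(coupon.code, account_id)] >= coupon.per_account_limit:
            errors.append(f"{code}: already redeemed by this account")
            continue
        # Answer to "Stacking Multiple Codes": only codes explicitly marked
        # stackable may share an order, and never with a non-stackable one.
        if accepted and not (coupon.stackable and all(c.stackable for c in accepted)):
            errors.append(f"{code}: cannot be combined with other codes")
            continue
        accepted.append(coupon)
    for coupon in accepted:
        store.redemptions[(coupon.code, account_id)] += 1
    return min(100, sum(c.discount_pct for c in accepted)), errors


SAMPLE_NOW = datetime(2009, 3, 31, tzinfo=timezone.utc)   # constructed "today"


def demo_store():
    """Constructed coupon table for the example; the codes are not real offers."""
    t0 = datetime(2009, 3, 1, tzinfo=timezone.utc)
    t1 = datetime(2009, 4, 30, tzinfo=timezone.utc)
    return CouponStore(coupons={
        "BAILOUT": Coupon("BAILOUT", 100, launched=False, starts=t0, ends=t1),
        "SAVE10": Coupon("SAVE10", 10, launched=True, starts=t0, ends=t1, stackable=True),
        "FREESHIP": Coupon("FREESHIP", 5, launched=True, starts=t0, ends=t1, stackable=True),
        "HALFOFF": Coupon("HALFOFF", 50, launched=True, starts=t0, ends=t1),
    })


if __name__ == "__main__":
    s = demo_store()
    print(apply_coupons(s, "alice", ["BAILOUT"], SAMPLE_NOW))             # (0, ['BAILOUT: promotion not active'])
    print(apply_coupons(s, "alice", ["SAVE10", "FREESHIP"], SAMPLE_NOW))  # (15, [])
```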
14. Low-Tech Google Hacking
When Google becomes a major source of public record, interesting opportunities begin to arise.

15. Super BlackHat SEO
Target large universities with public webcams and redirect the feeds to a subscription website. Call in bomb threats (hoax) to Boston College, Purdue, Clemson, University of North Carolina, and Florida State to drive traffic. Advertise live police response video footage via Skype and profit ($?). Juvenile male suspect arrested.
http://www.bcheights.com/home/index.cfm?event=displayArticlePrinterFriendly&uStory_id=14cd304c-26e2-40ab-a51d-4a2d79274cd9

16. Google Earth Recon
Roofer Tom Berge used the aerial photographs of towns across the world to pinpoint museums, churches and schools across south London with lead roof tiles (darker colour). Berge and his accomplices used ladders and abseiling ropes to strip the roofs and took the lead away (£100,000) in a stolen vehicle to be sold for scrap. Sentenced to eight months in prison, suspended for two years, after confessing to more than 30 offenses.
http://www.independent.co.uk/news/uk/crime/thief-googled-163100000-lead-roofs-1645734.html
http://www.telegraph.co.uk/news/uknews/4995293/Google-Earth-used-by-thief-to-pinpoint-buildings-w valuable-lead-roofs.html

17. Google Maps vs. Spammers
http://blumenthals.com/blog/2009/02/25/google-maps-vs-locksmiths-spammers-spammers-winning/
http://thehollytree.blogspot.com/2008/02/scam-alert-phony-israeli-owned.html

18. Buyers Remorse
People order things online, then change their minds, and cancel. Strict management processes need to be in place.

19.
Quantina Moore-Perry, 33, of Greensboro, N.C., ordered (then cancelled) over 1,800 items online at QVC including handbags, housewares, jewelry and electronics. Products were shipped anyway. Auctioned off on eBay. Profited $412,000.
"Woman admits fleecing shopping network of more than $412,000"
http://www.theregister.co.uk/2007/10/30/website_fraud_guilty_plea/
http://consumerist.com/consumer/crime/woman-exploited-bug-on-qvc-website-to-steal-over-400 merchandise-317045.php
http://www.msnbc.msn.com/id/21534526/

20.
"QVC became aware of the problem after being contacted by two people who bought the items, still in QVC packaging, on the online auction site." Pleaded guilty in federal court to wire fraud.

21. FTC - Unordered Merchandise
http://www.ftc.gov/bcp/edu/pubs/consumer/products/pro15.shtm

22. iCan fix your iPod
Sometimes electronics break or are defective and customers would like to return the item. Online systems are designed to facilitate this process.

23.
Nicholas Arthur Woodhams, 23, from Kalamazoo, Michigan, sets up shop online to repair iPods. Abuses Apple's Advance Replacement Program by guessing iPod serial numbers backed with Visa-branded gift cards ($1 pre-auth). Repeats the process 9,075 times, resells the "replacements" at heavily discounted prices ($49), and denies any Apple credit charges. Charged with trademark infringement, fraud, and money-laundering.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130136&intsrc=news_ts_head
http://www.macworld.com/article/139522/23yearold_michigan_man_busted_for_ipod_fraud.html
http://www.appleinsider.com/articles/08/06/26/apple_makes_example_of_ipod_repairman_in_lawsuit.html
http://launderingmoney.blogspot.com/2009/03/money-laundering-charges-for-kalamazoo.html

24. Scams that scale
"Federal prosecutors have asked U.S. District Court Judge Robert Bell to let them seize real estate and personal property -- including a 2004 Audi and a 2006 drag racer -- as well as more than $571,000 in cash belonging to Woodhams, all alleged to be proceeds from his scam."

25. Magic Cookies
Online merchants and advertisers enlist the services of affiliate networks to drive traffic and/or customers to their websites in exchange for a share of the revenue generated.

26. The Players
Merchant: Pays commissions to affiliates for customer clicks, account sign-ups, purchases, etc.
Affiliate: Collects commissions for driving customers towards merchants in the form of cost per-click (CPC) or cost per-acquisition (CPA).
Customer: The person who buys stuff or signs up for promotions.
Affiliate Network: Technology framework connecting and monitoring the merchant, affiliate, and customer.

27. [image-only slide]

28. The way it's supposed to
1. Affiliate signs up with an affiliate network and places special links on their web page(s):
<a href="http://AffiliateNetwork/p?program=50&affiliate_id=100/">really cool product!</a>
2. When users click the link their browser is sent through the affiliate network, where they receive a special tracking cookie and are then redirected to the merchant page.
Set-Cookie: AffiliateID=100
3. If the customer buys something within X time period (i.e. the affiliate cookie still exists) the affiliate receives a commission.
Using effective SEO tactics...

29. [image-only slide]

30. [image-only slide]

31.
http://hubpages.com/hub/Google_Adsense_King_-_1_Million_Dollars_Check_-_Markus_Frind_Exclusive_Interview

32.
"It was a check for 2 months because the first check they sent was so big it was rejected by his bank."

33. Cookie-Stuffing Circa 2002
Nothing besides pesky affiliate network terms of service requires the user to actually "click a link" to be cookied with an affiliate ID.
Instead of:
<a href="http://AffiliateNetwork/p?program=50&affiliate_id=100/">really cool product!</a>
Use:
<img src="http://AffiliateNetwork/p?program=50&affiliate_id=100/">
or:
<iframe src="http://AffiliateNetwork/p?program=50&affiliate_id=100/" width="0" height="0"></iframe>
Invisible!
Affiliate Programs Vulnerable to Cross-site Request Forgery Fraud: http://www.cgisecurity.org/2008/08/affiliate-progr.html

34.
Aggressive affiliates figure out they can post their code anywhere online and not just on their own websites (message boards, guest books, social networks, etc).
By 2005, merchants and affiliate networks got wise to cookie stuffing, started monitoring referers and conversion rates, and began kicking out suspicious affiliates.
http://www.blackhatworld.com/blackhat-seo/
http://www.seoblackhat.com/forum/

35. Cookie-Stuffing Circa 2007
Affiliates start posting their code on SSL pages.
"Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol." - RFC 2616
Bottom line: No referer is sent to the affiliate to be tracked.
FYI: Not every browser behaves this way, but there are many other methods to do the same using meta-refreshes and JavaScript.
SEO Code Injection: http://technicalinfo.net/papers/SEOCodeInjection.html
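Slides 28 through 35 describe cookie stuffing and the two defences the networks eventually adopted: telling real clicks from hidden image and iframe loads, and watching conversion rates. The block below is an added example, not code from the talk or from any affiliate network. It assumes the tracking endpoint from slide 28 and uses the Fetch Metadata request headers (Sec-Fetch-Dest, Sec-Fetch-Mode) that current browsers send; older browsers send neither, which the code treats as unknown rather than trusting the Referer on its own, since slide 35 shows why Referer alone is unreliable.

```python
from collections import defaultdict


def should_credit_click(headers):
    """Decide whether a hit on the /p?program=..&affiliate_id=.. endpoint came
    from a user actually clicking a link.  Returns (credit, reason).
    Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    dest = h.get("sec-fetch-dest")
    mode = h.get("sec-fetch-mode")
    if dest is not None or mode is not None:
        # An <img src=...> arrives with dest=image and a hidden <iframe> with
        # dest=iframe; only a top-level navigation carries dest=document.
        if dest == "document" and mode == "navigate":
            return True, "top-level navigation"
        return False, f"sub-resource load (dest={dest}, mode={mode})"
    # Legacy browser without Fetch Metadata.  A missing Referer is normal when
    # the referring page was HTTPS (the RFC 2616 rule on slide 35), so it is
    # queued for review rather than accepted or rejected outright.
    if not h.get("referer"):
        return False, "no fetch metadata and no referer: hold for review"
    return True, "legacy browser with referer (weak evidence)"


def flag_low_converters(clicks, sales, min_clicks=200, ratio_floor=0.2):
    """clicks and sales map affiliate_id -> count.  Stuffed cookies inflate
    clicks without producing sales, so an affiliate with enough traffic whose
    conversion rate is below ratio_floor times the network average is flagged.
    Returns a sorted list of (affiliate_id, conversion_rate)."""
    total_clicks = sum(clicks.values())
    total_sales = sum(sales.get(a, 0) for a in clicks)
    if total_clicks == 0:
        return []
    baseline = total_sales / total_clicks
    flagged = []
    for aff, n in clicks.items():
        if n < min_clicks:
            continue                      # too little traffic to judge
        rate = sales.get(aff, 0) / n
        if rate < ratio_floor * baseline:
            flagged.append((aff, round(rate, 4)))
    return sorted(flagged)


# Constructed sample counters (not real affiliate data): affiliate 200 sends
# as many "clicks" as affiliate 100 but almost no sales.
SAMPLE_CLICKS = {100: 1000, 200: 1000, 300: 50}
SAMPLE_SALES = {100: 30, 200: 1}

if __name__ == "__main__":
    print(should_credit_click({"Sec-Fetch-Dest": "iframe", "Sec-Fetch-Mode": "navigate"}))
    print(flag_low_converters(SAMPLE_CLICKS, SAMPLE_SALES))   # [(200, 0.001)]
```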
36. Trading on Semi-public Information
Insider: someone with a fiduciary role within a company. A corporate executive, investment banker or attorney. Not a hacker.

37. Getting the word out...
Business Wire provides a service where registered website users receive a stream of up-to-date press releases. Press releases are funneled to Business Wire by various organizations, and are sometimes embargoed temporarily because the information may affect the value of a stock. Press release files are uploaded to the Web server (Business Wire), but not linked, until the embargo is lifted. At such time, the press release Web pages are linked into the main website and users are notified with URLs similar to the following:
http://website/press_release/08/29/2007/00001.html
http://website/press_release/08/29/2007/00002.html
http://website/press_release/08/29/2007/00003.html
Before granting read access to the press release Web page, the system ensures the user is properly logged in.

38. Just because you cannot see it does not mean it is not there...
An Estonian financial firm discovered that the press release Web page URLs were named in a predictable fashion. And, while links might not yet exist because the embargo was in place, it didn't mean a user couldn't guess at the filename and gain access to the file. This method worked because the only security check Business Wire conducted was to ensure the user was properly logged in, nothing more. According to the SEC, which began an investigation, Lohmus Haavel & Viisemann profited over $8 million by trading on the information they obtained.
SEC Vs. The Estonian Spiders: http://www.webpronews.com/topnews/2005/11/02/sec-vs-the-estonian-spiders
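The Business Wire case above is "insufficient authorization" plus "predictable resource location": the server checked who the user was but never whether this particular document was cleared for release. The following is an added example (not Business Wire's code) that places the flawed check beside a hardened one that also enforces the embargo per document, uses an unguessable URL identifier, and logs denied probes so they can be profiled; the release data, users and timestamps are constructed for the example.

```python
import secrets
from datetime import datetime, timezone


class User:
    def __init__(self, name, logged_in):
        self.name = name
        self.logged_in = logged_in


class PressRelease:
    def __init__(self, seq, body, embargo_until):
        self.seq = seq                      # predictable sequence number (the old URL scheme)
        self.body = body
        self.embargo_until = embargo_until  # None means never embargoed
        self.public_id = secrets.token_urlsafe(16)  # unguessable URL identifier
        self.linked = False                 # has the page been linked into the site yet?


class ReleaseSite:
    def __init__(self):
        self.by_seq = {}
        self.by_public_id = {}
        self.access_log = []                # (user, resource, outcome)

    def add(self, release):
        self.by_seq[release.seq] = release
        self.by_public_id[release.public_id] = release

    def publish(self, seq, now):
        """Link a release into the site; refused while its embargo is in force."""
        rel = self.by_seq[seq]
        if rel.embargo_until is not None and now < rel.embargo_until:
            raise ValueError("embargo still in force")
        rel.linked = True

    def fetch_vulnerable(self, user, seq):
        """The flaw: the only check is 'logged in'.  Any registered user who
        guesses the next sequence number reads the embargoed release."""
        if not user.logged_in:
            return None
        rel = self.by_seq.get(seq)
        return rel.body if rel else None

    def fetch_hardened(self, user, public_id, now):
        """Authentication plus per-object authorization: the specific document
        must be published and out of embargo, and its URL is not guessable."""
        if not user.logged_in:
            self.access_log.append((user.name, public_id, "unauthenticated"))
            return None
        rel = self.by_public_id.get(public_id)
        if rel is None:
            self.access_log.append((user.name, public_id, "unknown id"))
            return None
        if not rel.linked or (rel.embargo_until is not None and now < rel.embargo_until):
            # A logged-in user asking for an unpublished document is exactly the
            # traffic the SEC case describes; record it for the profiling step.
            self.access_log.append((user.name, rel.seq, "embargoed"))
            return None
        return rel.body

    def suspicious_users(self, threshold=3):
        """Users with at least `threshold` denied requests for unpublished or
        non-existent documents, i.e. accounts probing for unlinked files."""
        counts = {}
        for name, _, outcome in self.access_log:
            if outcome in ("embargoed", "unknown id"):
                counts[name] = counts.get(name, 0) + 1
        return sorted(n for n, c in counts.items() if c >= threshold)


SAMPLE_T0 = datetime(2007, 8, 29, 9, 0, tzinfo=timezone.utc)    # before the embargo lifts
SAMPLE_T1 = datetime(2007, 8, 29, 16, 30, tzinfo=timezone.utc)  # moment the embargo lifts


def build_demo_site():
    """Constructed data: one public release and one still under embargo."""
    site = ReleaseSite()
    site.add(PressRelease(1, "Q2 results (public)", embargo_until=None))
    site.add(PressRelease(2, "Q3 guidance cut (embargoed)", embargo_until=SAMPLE_T1))
    site.publish(1, SAMPLE_T0)
    return site
```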
39.
A Ukrainian hacker breaks into Thomson Financial and steals a gloomy results announcement for IMS Health, hours before its release to the stock market...
• Hacker enters ~$42,000 in sell orders betting the stock will fall
• The stock fell sharply, making the hacker ~$300,000
• Red flags appear and the SEC freezes the funds
• Funds are ordered to be released: "Dorozhko's alleged 'stealing and trading' or 'hacking and trading' does not amount to a violation" of securities laws, Judge Naomi Reice Buchwald
• The Times speculates that the DoJ has simply deemed the case not worth pursuing, probably due to the difficulties involved in gaining cooperation from local authorities to capture criminals in Ukraine.
Ukrainian Hacker Makes a Killing in Stock Market Fraud: http://blog.wired.com/27bstroke6/2008/02/ukrainian-hacke.html
Ukrainian hacker may get to keep profits: http://www.vnunet.com/vnunet/news/2209899/hacker-keep-profits

40. Pump and Dump Scams Evolve
A large traffic spike on a Sunday night pushed a 2002 story of a bankruptcy filing by United Airlines to the most viewed business story category on the South Florida Sun Sentinel's Web site. Google indexed the new link and the story appeared on Google News. A Miami advisory firm performed a Google search for bankruptcies Monday morning that returned the 2002 UAL story, which they mistook as being current, and it was subsequently distributed through the Bloomberg News Service. United Airlines' stock price sank more than 75%, slipping from $12 to a $3 level before trading was suspended. After the dust settled, shares returned to near normal levels.
http://blog.wired.com/27bstroke6/2008/09/six-year-old-st.html
http://consumerist.com/5048362/google-placed-wrong-date-on-ual-story-stock-yo+yo-ensues
http://www.forbes.com/2008/09/08/ual-tribune-bankruptcy-biz-media-cz_ja_tvr_0908ualstory.html
http://www.theregister.co.uk/2008/09/10/ua_bankruptcy_farce/

41. Hackers for Hire
The cybercrime industry possesses sophisticated business models that include Software-as-a-Service, SLA agreements, and discrete distribution of services. Hackers and botnets can be easily rented.

42. [image-only slide]

43. Online Permit Management
In 2006, the Brazilian environment ministry did away with paper dockets and implemented an online program to issue permits documenting how much land a company could legally log and to track the timber leaving the Amazon state of Para.
"We've pointed out before that this method of controlling the transport of timber was subject to fraud." André Muggiati, Campaigner, Amazon office in Manaus, Greenpeace International

44. Amazonian Rainforest Hack
Allegedly 107 logging companies hired hackers to compromise the system, falsifying online records to increase the timber transport allocations. Police arrested 30 ring leaders. As a result, an estimated 1.7 million cubic metres of illegal timber have been smuggled out of the Amazon, enough to fill 780 Olympic-sized swimming pools.
http://www.greenpeace.org/international/news/hackers-help-destroy-the-amazo
http://www.scientificamerican.com/blog/60-second-science/post.cfm?id=hackers-help-loggers-illegally-stri-2008-12-16

45. $833,000,000
Tip of the iceberg: the same computer system is used in two other Brazilian states.
http://www.greenpeace.org/international/news/hackers-help-destroy-the-amazo
http://www.scientificamerican.com/blog/60-second-science/post.cfm?id=hackers-help-loggers-illegally-stri-2008-12-16

46. Other Permits Managers
[image-only slide]

47. Hiring the Good Guys
KPMG audited 70 FAA Web applications and identified 763 high-risk vulnerabilities.
"By exploiting these vulnerabilities, the public could gain unauthorized access to information stored on Web application computers. Further, through these vulnerabilities, internal FAA users (employees, contractors, industry partners, etc.) could gain unauthorized access to ATC systems because the Web applications often act as front-end interfaces (providing front-door access) to ATC systems."
http://news.cnet.com/8301-1009_3-10236028-83.html
http://www.darkreading.com/security/government/showArticle.jhtml
http://www.oig.dot.gov/StreamFile?file=/data/pdfdocs/ATC_Web_Report.pdf

48. Business logic flaws = $$$
Prime target for the bad guys.
Test often, test everywhere.
Threat Model: Not all vulnerabilities can be identified in the design phase, by analyzing the code, or even during QA.
Detect attacks by profiling: HTTP requests appear legitimate, but active attacks will appear anomalous.
He who has the most points, credits, or in-system cash is probably a cheater.

49.
• Google Hacking: $ low six figures
• Scamming eCommerce: $ mid six figures
• Manipulating return policy systems: $ high six figures
• Exploiting Affiliate Networks: $ seven figures
• Gaming the stock market: $ high seven figures
• Defrauding online permits: $ high nine figures
• Free pizza with secret coupon codes... PRICELESS

50. Questions? Why aren't you doing this?
Jeremiah Grossman
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: http://twitter.com/jeremiahg
Email: jeremiah@whitehatsec.com
WhiteHat Security: http://www.whitehatsec.com/